OUTBOX: Creating EWS Service Accounts in Office 365

I’ve been asked this several times and the question usually goes something like this…

Hey Matt, I’m trying to follow the instructions on MSDN for setting up ApplicationImpersonation in Exchange 2010 for my service account in Exchange Online in Office 365 but New-ManagementRoleAssignment isn’t available – what gives?

…To be honest, I haven’t looked too deep into why that particular cmdlet doesn’t work in Office 365.  The reason I haven’t looked too deep into this is that regardless of the availability of this cmdlet, I prefer to recommend a different, more RBAC-centric approach.

Using New-RoleGroup instead, you can still assign the permissions in one line but instead of simply creating an assignment you define and name a role group.  This makes management and identification of the accounts and permissions tied to your solution a lot easier.  Take a look at the following command…

New-RoleGroup -Name "Contoso Service Accounts" -Roles ApplicationImpersonation –Members ContosoServiceAccountName

First, this cmdlet creates a role group with an identifiable name, “Contoso Service Accounts”.  Then the second portion assigns roles to that group which in this case only includes ApplicationImpersonation but could include more.  Lastly, an account is added as a member of the RoleGroup to give it all the permissions associated with it.  This would be helpful in the case where you need multiple service accounts to handle your application load – you simply add/remove service accounts as members to this group as needed for quick provisioning.  This also makes it easy for administrators to understand which accounts are related to your product and what they can do.